At present, problems such as address shortages and insufficient support for new services are gradually being exposed in the use of Internet Protocol version 4 (IPv4). Internet Protocol version 6 (IPv6) is moving from small-scale piloting to large-scale use. With the large-scale use of IPv6, its security problems are becoming increasingly prominent and are affecting the operations of operators.
Path maximum transmission unit (MTU) discovery is a technology used in various protocols to find the MTU supported on an entire path on the Internet; data smaller than the MTU limit does not need to be fragmented for transmission. A path MTU discovery mechanism discovers the minimal MTU on all paths from a source node to a destination node by using the Internet Control Message Protocol version 6 (ICMPv6).
The IPv6 protocol specifies that a data forwarding node does not perform fragmentation; the source node performs the fragmentation, and the destination node performs fragment reassembly. If the path MTU discovery mechanism is not used, a node on an IPv6 network uses the default of 1280 bytes as the path MTU, and a fragmentation operation needs to be performed for all data packets larger than 1280 bytes. Therefore, using the path MTU discovery mechanism lowers the probability of fragmentation and at the same time improves network transmission efficiency.
Based on the foregoing path MTU discovery mechanism, a malicious node may increase the processing load of an attacked node by sending a forged, false Internet Control Message Protocol (ICMP) message to the attacked node, thereby causing a stacking overload of the attacked node or interruption of normal communication between the attacked node and one or more other nodes.
At present, a path MTU attack can generally be avoided only by disabling the path MTU discovery mechanism. However, this reduces the network transmission efficiency. Therefore, no effective protection measures are provided.
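Short of disabling path MTU discovery, a receiving node can sanity-check each ICMPv6 Packet Too Big message before lowering its path MTU estimate. The following is an added example, not part of the original text and not the method this document goes on to describe. It applies the acceptance rules of RFC 8201: the message must quote a packet this node actually sent, must not report an MTU below 1280, and must not raise the estimate. Assumptions: the ICMPv6 checksum is already verified by the stack, the quoted packet has no extension headers, the starting estimate is 1500, and the names `check_ptb`, `build_ptb`, `flows` and `pmtu_cache` are hypothetical.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280   # IPv6 minimum link MTU
ICMPV6_PTB = 2        # ICMPv6 type 2: Packet Too Big
DEFAULT_PMTU = 1500   # assumed starting estimate (Ethernet link MTU)

def check_ptb(icmp, local_addr, flows, pmtu_cache):
    """Return (accepted, detail) for one ICMPv6 message.

    flows: set of (dst, next_header, sport, dport) this node has open.
    pmtu_cache: dict dst -> current path MTU estimate, updated on accept.
    """
    if len(icmp) < 8 + 40 + 4:      # ICMPv6 header + IPv6 header + ports
        return False, "truncated"
    icmp_type, code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMPV6_PTB or code != 0:
        return False, "not packet-too-big"
    inner = icmp[8:]                # quoted copy of the invoking packet
    if inner[0] >> 4 != 6:
        return False, "embedded packet is not IPv6"
    next_header = inner[6]
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    # The quoted packet must be one this node really sent on a live flow.
    if src != local_addr or (dst, next_header, sport, dport) not in flows:
        return False, "does not quote a packet we sent"
    if mtu < IPV6_MIN_MTU:
        return False, "MTU below 1280"
    if mtu >= pmtu_cache.get(dst, DEFAULT_PMTU):
        return False, "would not lower the estimate"
    pmtu_cache[dst] = mtu
    return True, mtu

def build_ptb(mtu, src, dst, sport, dport, next_header=6):
    """Build a constructed sample message for testing (checksum left as 0)."""
    ip6 = struct.pack("!IHBB", 6 << 28, 20, next_header, 64)
    ip6 += src.packed + dst.packed
    ports = struct.pack("!HH", sport, dport)
    return struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu) + ip6 + ports
```

These checks only bound what a forged message can do to the estimate; every incoming message still has to be parsed and matched against the flow table.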